NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL


INDEPENDENT EVALUATION OF THE
NATIONAL CREDIT UNION ADMINISTRATION'S
COMPLIANCE WITH THE FEDERAL INFORMATION
SECURITY MANAGEMENT ACT (FISMA) 2013

Report # OIG-13-12
November 22, 2013


James Hagen
Inspector General


Released by:

W. Marvin Stith, CISA
Sr. Information Technology Auditor


Restricted - For Official Use Only


                                    Table of Contents

Section                                                                           Page

   I      EXECUTIVE SUMMARY                                                          1

  II      BACKGROUND                                                                 2

  III     OBJECTIVE                                                                  3

  IV      METHODOLOGY AND SCOPE                                                      4

  V       RESULTS IN DETAIL                                                          5

            1. NCUA needs to improve its Continuous Monitoring Program               5

            2. NCUA needs to improve its Risk Management Program                     7

            3. NCUA needs to improve its Configuration Management Program            7

            4. NCUA needs to improve Remote Access Controls                          9

            5. NCUA needs to improve its Security Awareness Training Program        11

            6. NCUA needs to improve Oversight of its Contractor Systems            12

  VI      APPENDIX

            A. NCUA Management Comments                                             15


Report # OIG-13-12: Independent Evaluation of the National Credit Union Administration's Compliance with the
Federal Information Security Management Act (FISMA) 2013


                                          I. EXECUTIVE SUMMARY

The Office of Inspector General (OIG) for the National Credit Union Administration
(NCUA) engaged Mitchell & Titus, LLP (Mitchell & Titus)[1] to independently evaluate
NCUA's information systems and security program and controls for compliance with the
Federal Information Security Management Act (FISMA), Title III of the E-Government
Act of 2002.

Mitchell & Titus evaluated NCUA's security program through interviews, documentation
reviews, technical configuration reviews, and sample testing. Mitchell & Titus evaluated
NCUA against such laws, standards, and requirements as those provided through
FISMA, the E-Government Act, National Institute of Standards and Technology (NIST)
standards and guidelines, the Privacy Act, and Office of Management and Budget
(OMB) memoranda and security and privacy policies.

NCUA has worked to significantly strengthen its information security and privacy
programs during Fiscal Year (FY) 2013. We believe that many of the improvements
within the agency's information security program are the result of the acquisition of
additional dedicated resources within the Office of the Chief Information Officer to
address information security issues. However, while NCUA continues to make
improvements in the following areas, we identified remaining issues in these areas from
last year's FISMA review that NCUA officials need to address:

    •   Finalizing its Continuous Monitoring Policies, Procedures, and Strategy;

    •   Finalizing its Risk Management Policies and Procedures;

    •   Improving its Configuration Management Program;

    •   Improving its New Hire Security Awareness Training Program; and

    •   Improving Oversight and Management of its Contractor Systems.

In addition, we identified a new finding pertaining to NCUA's remote access program.
We made nine recommendations in these areas, which would help NCUA continue to
improve its information security program. Furthermore, we conducted a vulnerability
assessment of NCUA's network components this year. NCUA had very few findings
from this assessment. We will provide the results separately to NCUA for review,
response, and corrective action.

We appreciate the courtesies and cooperation provided to our staff and Mitchell & Titus
staff during this audit.

[1] Mitchell & Titus, LLP is a member firm of Ernst & Young Global Limited.


                                             II. BACKGROUND

This section provides background information on the Federal Information Security
Management Act (FISMA) and the National Credit Union Administration (NCUA).

Federal Information Security Management Act

The President signed into law the E-Government Act (Public Law 107-347), which
includes Title III, Information Security, on December 17, 2002. The Federal Information
Security Management Act (FISMA) permanently reauthorized the framework laid out in
the Government Information Security Reform Act of 2000 (GISRA), which expired in
November 2002. FISMA continues the annual review and reporting requirements
introduced in GISRA. In addition, it includes new provisions aimed at further
strengthening the security of the Federal government's information and information
systems, such as development of minimum standards for agency systems. In general,
FISMA:

    •   Lays out a framework for annual information technology security reviews,
        reporting, and remediation plans;

    •   Codifies existing OMB security policies, including those specified in Circular
        A-130, Management of Federal Information Resources, and Appendix III;

    •   Reiterates security responsibilities outlined in the Computer Security Act of 1987,
        Paperwork Reduction Act of 1995, and Clinger-Cohen Act of 1996; and

    •   Tasks NIST with defining required security standards and controls for Federal
        information systems.

The Department of Homeland Security (DHS) issued the FY 2013 reporting metrics,
which provide measures against which agency Chief Information Officers, Offices of
Inspector General, and Senior Agency Officials for Privacy assess the status and
compliance of agencies' information security and privacy management programs.[2] On
November 18, 2013, OMB issued the Fiscal Year (FY) 2013 Reporting Instructions for
the Federal Information Security Management Act and Agency Privacy Management.
This document provides instructions for meeting agencies' FY 2013 reporting
requirements under FISMA. It also includes reporting instructions on agencies' privacy
management programs. Furthermore, it includes the requirement for Chief Information
Officers of CIO Council member agencies to submit monthly data feeds.

[2] DHS is exercising primary responsibility within the Executive Branch for the operational aspects of Federal agency
cyber security with respect to the Federal information systems that fall within FISMA under 44 U.S.C. §3543.

National Credit Union Administration (NCUA)

NCUA is the independent Federal agency that charters, supervises, and insures the
nation's Federal credit unions. NCUA insures many state-chartered credit unions as
well. NCUA is funded by the credit unions it supervises and insures. NCUA's mission is
to foster the safety and soundness of Federally-insured credit unions and to better
enable the credit union community to extend credit for productive and provident
purposes to all Americans, particularly those of modest means.

NCUA strives to ensure that credit unions are empowered to make necessary business
decisions to serve the diverse needs of their members and potential members. It does
this by establishing a regulatory environment that encourages innovation, flexibility, and
a continued focus on attracting new members and improving service to existing
members.

NCUA has a full-time three-member Board (NCUA Board) consisting of a chairman and
two members. The members of the board are appointed by the President of the United
States and confirmed by the Senate. No more than two board members can be from
the same political party, and each member serves a staggered six-year term. The
NCUA Board regularly meets in open session each month, with the exception of August,
in Alexandria, Virginia.


                                              III. OBJECTIVE

The audit objective was to perform an independent evaluation of NCUA information
security and privacy management policies and procedures for compliance with FISMA
and Federal regulations and standards. We evaluated NCUA's efforts related to:

    •   Efficiently and effectively managing its information security and privacy
        management programs;

    •   Meeting responsibilities under FISMA; and

    •   Remediating prior audit weaknesses pertaining to FISMA and other security and
        privacy weaknesses identified.

In addition, the audit was required to provide sufficient supporting evidence of the status
and effectiveness of NCUA's information security and privacy management programs to
enable reporting by the OIG.


                                 IV. METHODOLOGY AND SCOPE

We evaluated NCUA's information security and privacy management programs and
practices against such laws, standards, and requirements as those provided through
FISMA, the E-Government Act, NIST standards and guidelines, the Privacy Act, and
OMB memoranda and security and privacy policies.

During this audit, we assessed NCUA information security and privacy management
programs in the areas identified in the Department of Homeland Security's FY 2013
Inspector General FISMA Reporting Metrics. These areas included: continuous
monitoring management, configuration management, identity and access management,
incident response and reporting, risk management, security training, POA&M, remote
access management, contingency planning, contractor systems, and security capital
planning. In addition, we conducted a vulnerability assessment of NCUA's network
components.

We conducted our fieldwork from July 2013 through November 2013. We performed
our audit in accordance with generally accepted government auditing standards. The
standards require that we plan and perform the audit to obtain sufficient and appropriate
evidence to provide a reasonable basis for our findings and conclusions based on our
audit objectives. We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives.


                                        V. RESULTS IN DETAIL

Information security and privacy program planning and management controls are
designed to provide the framework and continuing cycle of activity for managing risk,
developing security and privacy policies, assigning responsibilities, and monitoring the
adequacy of information security- and privacy-related controls. NCUA has made
significant progress in addressing last year's reported deficiencies; however, some prior
year deficiencies remain. In addition, we identified a new deficiency in the area of
remote access that requires management's attention. Below we discuss the issues that
remain from the prior year and the remote access issue.

This year, we also conducted a vulnerability assessment of NCUA's network
components. NCUA had very few findings from this assessment. We will provide the
results separately to NCUA for review, response, and corrective action. We note that
NCUA immediately remediated some of the issues from the vulnerability assessment.


1. NCUA needs to improve its Continuous Monitoring Program

While NCUA has continued to improve its continuous monitoring program and has many
of the components with which to build a robust program, NCUA has not finalized its
policies and procedures. In addition, it has not fully integrated the various components
of its information security program into a strategy that facilitates near real-time
monitoring and risk management. This finding includes issues in the following areas
that we address in other sections of the report:

    •   Risk management policies and procedures (see page 6);

    •   Configuration management of Macintosh computers (see page 7); and

    •   Oversight of contractor systems (see page 11).

NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information
Systems and Organizations (August 2009 with updates as of May 1, 2010), guides that
agencies should establish a continuous monitoring strategy and implement a continuous
monitoring program that includes: a configuration management process for the
information system and its constituent components; a determination of the security
impact of changes to the information system and environment of operation; ongoing
security control assessments in accordance with the organizational continuous
monitoring strategy; and reporting the security state of the information system to
appropriate organizational officials.

NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal
Information Systems and Organizations (September 2011), guides that Information
Security Continuous Monitoring (ISCM) supports agency risk management decisions,
e.g., risk response decisions, ongoing system authorization decisions, Plans of Action
and Milestones (POA&M) resource and prioritization decisions, etc. It also indicates
that maintaining an up-to-date view of information security risks across an organization
requires the involvement of the entire agency, from senior leaders providing governance
and strategic vision to individuals developing, implementing, and operating individual
information systems in support of the organization's core missions and business
functions.

NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to
Federal Information Systems: A Security Life Cycle Approach (February 2010), guides
that a robust continuous monitoring program requires the active involvement of
information system owners and common control providers, chief information officers,
senior information security officers, and authorizing officials. The monitoring program
allows an organization to: track the security state of an information system on a
continuous basis; and maintain the security authorization for the system over time in
highly dynamic environments of operation with changing threats, vulnerabilities,
technologies, and missions/business processes.

NCUA indicated it did not have dedicated information security resources until late in the
year to work on completing the documentation of its Continuous Monitoring policies and
procedures and to establish a comprehensive strategy that covers all components of its
continuous monitoring program.

By improving and implementing a comprehensive continuous monitoring program,
NCUA will be more aware of and better prepared to respond to potential threats and
vulnerabilities. Ultimately, NCUA will be able to better protect the confidentiality,
integrity, and availability of its systems and data.

Recommendation: We recommend that NCUA management:

    1. Complete the documentation and implementation of comprehensive continuous
       monitoring strategies, policies, and procedures in accordance with guidance
       under Information Security Continuous Monitoring, the Risk Management
       Framework, and other NIST guidance.

Agency Response:

OCIO plans to complete the documentation and implementation of its Continuous
Monitoring program by December 31, 2014.

OIG Response: The OIG concurs.


2. NCUA needs to improve its Risk Management Program

NCUA has made significant progress since FY 2012 in implementing a comprehensive
risk management program. Specifically, NCUA addressed most of the deficiencies in
this area from last year and has drafted its Risk Management Framework policies and
procedures in its Information System Security Policy and Procedure Handbook (System
Security Handbook). However, NCUA is still in the process of finalizing the System
Security Handbook.

The Risk Management Framework, as prescribed by NIST SP 800-37, is the
foundation for implementing and maintaining an effective information security program.
NIST SP 800-37 provides guidelines for applying the Risk Management Framework to
federal information systems, to include conducting the activities of security
categorization, security control selection and implementation, security control
assessment, information system authorization, and security control monitoring.

In response to the FY 2012 FISMA evaluation, NCUA indicated it would address all the
issues we identified with its Risk Management program by July 2013. While NCUA
addressed the majority of the issues and was able to draft its Risk Management policies
and procedures, it did not have sufficient resources to finalize the System Security
Handbook by the stated completion date.

When NCUA finalizes its Risk Management policies and procedures, it will have
formally established its procedures to more adequately manage its information
systems-related risks and protect its data and information systems consistent with the
Risk Management Framework.

Recommendation: We recommend that NCUA management:

    2. Finalize its Information System Security Policy and Procedure Handbook.

Agency Response:

OCIO will finalize the current draft Information System Security Policy and Procedure
Handbook by September 30, 2014.

OIG Response: The OIG concurs.


3. NCUA needs to improve its Configuration Management Program

While NCUA has continued to make improvements with its configuration management
program, NCUA does not have adequate configuration management policies and
procedures. Specifically:

    •   NCUA's configuration management policies and procedures do not adequately
        address purpose, scope, roles and responsibilities; management commitment;
        coordination among organizational entities necessary to control and manage
        configurations; and the timely processing of remediated configurations.

    •   For part of the calendar year, NCUA did not require or enforce that comments be
        included when testing Change Control Requests (CCRs). As a result, NCUA did
        not document testing evidence for most of the 117 CCRs addressed during that
        period. NCUA implemented corrective action for this area in June 2013;
        therefore, we will not make a recommendation to address this issue.

    •   NCUA does not have a documented configuration baseline for its two Macintosh
        computers and does not have a process in place to monitor and update critical
        security patches for these computers.

NIST SP 800-53, Revision 3, guides that organizations should develop, disseminate,
and review/update a formal, documented configuration management policy that
addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and formal, documented
procedures to facilitate the implementation of the configuration management policy and
associated configuration management controls.

FIPS PUB 200, Minimum Security Requirements for Federal Information and
Information Systems (March 2006), requires agencies to establish and maintain
baseline configurations and inventories of organizational information systems (including
hardware, software, firmware, and documentation) throughout the respective system
development life cycles; and establish and enforce security configuration settings for
information technology products employed in organizational information systems. FIPS
PUB 200 also requires agencies to identify, report, and correct information and
information system flaws in a timely manner; provide protection from malicious code at
appropriate locations within organizational information systems; and monitor information
system security alerts and advisories and take appropriate actions in response.

NCUA indicated it did not have information security resources dedicated until late in the
year to adequately document policies and procedures and to establish a comprehensive
program that covers all of the systems and devices within the NCUA environment.

By documenting and establishing a comprehensive configuration management program,
NCUA can more effectively and efficiently monitor, manage, and patch the security
configurations for all systems and devices within the NCUA information system
environment. Ultimately, a more comprehensive program will help ensure NCUA
protects the confidentiality, integrity, and availability of all the agency's systems and
data.

Recommendations: We recommend that NCUA management:

    3. Document a comprehensive configuration management program that includes
       policy and procedures for monitoring, managing, and patching security
       configurations for all systems and devices.

        Agency Response:

        OCIO will finalize documentation of its Configuration Management program by
        September 30, 2014.

    4. Establish and implement a baseline configuration for the Macintosh computer(s).

        Agency Response:

        OCIO plans to document its Macintosh computer baseline by
        September 30, 2014.

OIG Response: The OIG concurs with management's responses.


4. NCUA needs to improve Remote Access Controls

Recommendations: We recommend that NCUA management:

        Agency Response:

        Agency Response:

OIG Response: The OIG concurs with management's responses.


5. NCUA needs to improve its Security Awareness Training Program

We determined NCUA's procedures for providing security awareness training to new
hires are not adequate. Specifically, NCUA:

    •   Has not established a specific timeframe within which new hires must complete
        the agency's initial security awareness training.

    •   Does not retain evidence indicating that new hires have completed their initial
        security awareness training.

    •   Does not have documented procedures to monitor and review the timely
        completion of security awareness training by new hires and to enforce sanctions
        for not completing the training.

NIST SP 800-53 guides that organizations should:

    •   Provide basic security awareness training to all information system users
        (including managers, senior executives, and contractors) as part of initial training
        for new users, when required by system changes, and periodically thereafter;

    •   Document and monitor individual information system security training activities
        including basic security awareness training; and

    •   Retain individual training records for a specific period of time as defined by the
        organization.

NIST SP 800-16, Information Technology Security Training Requirements: A Role- and
Performance-Based Model (April 1998), requires training for new employees within 60
days of hire.

During the FY 2012 FISMA review, NCUA indicated it did not have the dedicated
resources until late in the year to develop, document, implement, and monitor a robust
security awareness training program that meets NIST guidance and requirements. This
year NCUA indicated it just recently assigned the dedicated resources to address its
security awareness training program.

By implementing a current and effective security awareness training program, NCUA
management can help ensure all personnel receive the required security training in
a timely manner. Individuals who receive adequate and current security training and
who are aware of their security responsibilities will be better prepared to perform their
assigned duties in the most secure manner. Ultimately, this helps protect the
confidentiality, availability, and integrity of NCUA systems and data.

Recommendation: We recommend that NCUA:

        7. Develop and document a new hire security awareness training program that
           provides for:

             a. Monitoring, tracking, and reviewing the timely completion of new hire
                training; and

             b. Enforcing sanctions for not completing security awareness training within
                the required time frame.

Agency Response:

OCIO will update the new hire training process and procedures and address
enforcement of sanctions by March 31, 2014.

OIG Response: The OIG concurs with management's response.


6. NCUA needs to improve Oversight of its Contractor Systems

NCUA has not fully implemented a formal contractor system oversight management
process in alignment with current federal guidelines. Specifically:

    •   Current NCUA policies and procedures do not provide sufficient guidance in
        regards to how NCUA should monitor and assess information security
        requirements for its contractor systems. As a result, NCUA does not have a
        formal process in place:

             o For maintaining sufficient assurance that security controls of contractor
               provided or hosted systems and services are effectively implemented and
               comply with federal and NCUA guidelines;

             o To ensure it obtains the System Security Plans (SSPs) of contractor
               systems. Specifically, NCUA does not have the SSPs for any of its eight
               (8) contractor systems; and

             o For classifying contractor systems as FISMA-reportable systems and
               cloud systems within its system inventory.

    •   For six of its eight (8) contractor systems, NCUA either (a) did not receive the
        Memoranda of Understanding or Interconnection Security Agreements
        (MOU/ISA) necessary to review and monitor the service agreement; or (b) the
        SOC 1 (Service Organization Control) reports[5] NCUA received did not include
        adequate security information as indicated by NIST guidance.

    •   Not all the NCUA functional owners of the contractor systems are identified.

NIST SP 800-53 guides that organizations develop and maintain an inventory of their
information systems. In addition, NIST SP 800-53 guides that organizations authorize
connections from their information systems to other information systems outside of the
authorization boundary through the use of Interconnection Security Agreements, and
document, for each connection, the interface characteristics, security requirements,
and the nature of the information communicated; and monitor the interconnections on
an ongoing basis to verify enforcement of security requirements.

OCIO is centrally responsible for the security of all systems operating in the NCUA
environment. However, functional system owners, who are responsible for obtaining
and maintaining the security documentation for contractor systems, do not always
consult with or seek approval from OCIO regarding appropriate security documentation.
Therefore, NCUA management has not been able to effectively monitor all contractor
systems and ensure compliance of these systems with Federal and NCUA information
security requirements.

By centrally managing its contractor oversight process, NCUA can have better
assurance that contractor systems operating in or connected to the NCUA systems
environment have the same information security measures implemented as NCUA's
systems. As a result, NCUA could better ensure that its network is protected against
threats and better ensure the confidentiality, integrity, and availability of NCUA data and
information systems.

Recommendations: We recommend that NCUA:

    8. Designate OCIO as centrally responsible for managing and overseeing the
       security requirements for NCUA's contractor systems.

    Agency Response:

    This recommendation requires coordination between multiple offices to recognize
    OCIO as the party responsible for overseeing security requirements for contractor
    systems. OCIO will work with relevant offices to update procurement procedures by
    September 30, 2014.

    9. Develop a formal process for maintaining sufficient assurance that security
       controls for contractor systems are effectively implemented, to include:

             a. A centrally maintained and monitored inventory of contractor systems;

             b. Periodic review of the system inventory (at least annually) to determine
                that all systems have been appropriately categorized as agency or
                contractor systems as well as cloud or non-cloud systems;

             c. A centrally maintained and monitored inventory of system interconnections
                for all NCUA systems that is regularly reviewed (at least annually) for
                accuracy and that is supported by valid and signed ISAs or MOUs; and

             d. A central repository of applicable valid, approved, and signed security
                documentation (e.g., System Security Plans, Interconnection Security
                Agreements, etc.) for each of the contractor systems.

        Agency Response:

        OCIO will update its process for Contractor Systems to address items discussed
        in the recommendation by September 30, 2014.

OIG Response: The OIG concurs with management's comments.

[5] SOC 1 reports effectively replaced SAS 70 reports as of June 15, 2011. The reports provide a means of reporting
on the system of internal control for purposes of complying with internal control over financial reporting.


Appendix A: NCUA Management Comments

National Credit Union Administration

SENT BY E-MAIL

TO:      Inspector General James Hagen

FROM:    Executive Director Mark Treichel

SUBJ:    Independent Evaluation of NCUA's Compliance with FISMA in 2013

DATE:    November 20, 2013

This memorandum responds to your request for comment on the Independent Evaluation of the
NCUA's Compliance with the Federal Information Security Management Act (FISMA) in 2013.
Thank you for the opportunity to review and comment on your report's findings and
recommendations. We concur with the recommendations. Below is an outline of our plan of
action.

NCUA made significant progress in strengthening its information security and privacy programs
during 2013.
OCIO hired an Information Security Officer (ISO) and assigned dedicated\n             information technology (IT) resources to assist in standing up a comprehensive IT Security\n             program in the third quarter of20 13.\n\n             OCIO is currently perfom1ing the foundational activities required to finalize the development of\n             policies and procedures that will establish the framework ofthe program going forward. Once\n             complete, OCJO will transition its resources to supporting activities to achieve its target state of a\n             more sustainable infonnation security program.\n\n             OIG Report Recommendation #1\n             Complete the documentation and implementation of comprehensive continuous monitoring\n             strategies, policies and procedures in accordance with guidance under Information Security\n             Continuous Monitoring, the Risk Management Framework and other NIST guidance.\n\n             Management Response: OCIO plans to complete the documentation and implementation of its\n             Continuous Monitoring program by December 3 1,2014.\n\n             OJG Report Recommendation #2\n             Finalize its Information System Security Policy and Procedure Handbook.\n\n             Management Response: OCTO will finalize the current draft lnfonnation System Security Policy\n             and Procedure Handbook by September 30,2014.\n\n\n\n\n                   1 775 Duke St r eet - Alexandria , VA 22314 - 3428 - 703 - 518 - 6300\n\n\n\n\n                                                                                     Restricted \xe2\x80\x93 For Official Use Only\n                                                                     15\n\x0cReport # OIG-13-12: Independent Evaluation of the National Credit Union Administration\xe2\x80\x99s Compliance with the\nFederal Information Security Management Act (FISMA) 2013\n\n\n\n\n             Page 2\n\n\n\n              OIG Report 
Recommendation #3\n             Document a comprehensive configuration management program that includes policy and\n             procedures for monitoring, managing, and patching security configurations for all systems and\n             devices.\n\n             Management Response: OCIO will finalize documentation of its Configuration Management\n             program by September 30,2014.\n\n             OIG Report Recommendation #4\n              Establish and implement a baseline configuration for the Macintosh computer(s).\n\n             Management Response: OCJO plans to document its Macintosh computer baseline by\n             September 30, 2014.\n\n\n\n\n              Management Response:    111..111111111111111111111111111111111111111\n             OIG Report Recommendation #7\n             Develop and document a new hire security awareness training program that provides for:\n                 a. Monitoring, tracking, and reviewing the timely completion of new hire training, and\n                 b. 
Enforcing sanctions for not completing security awareness training within the required\n                     time-frame.\n\n             Management Response: OCIO will update the new hire training process and procedures and\n             address enforcement of sanctions by March 31, 2014.\n\n             OIG Report Recommendation #8\n             Designate OCIO as centrally responsible for managing and overseeing the security requirements\n             for NCUA\'s contractor systems.\n\n\n\n\n                                                                               Restricted \xe2\x80\x93 For Official Use Only\n                                                           16\n\x0cReport # OIG-13-12: Independent Evaluation of the National Credit Union Administration\xe2\x80\x99s Compliance with the\nFederal Information Security Management Act (FISMA) 2013\n\n\n\n\n             Page 3\n\n\n             Management Response: This recommendation requires coordination between multiple offices to\n             recognize OCTO as the party responsible for overseeing security requirements for contractor\n             systems. OCIO will work with relevant offices to update procurement procedures by September\n             30,2014.\n\n             OIG Report Recommendation #9\n             Develop a formal process for maintaining sufficient assurance that security controls for\n             contractor systems are effectively implemented, to include:\n                   a. A centrally maintained and monitored inventory of contractor systems.\n                   b. Periodic review of the system inventory (at least annually) to determine that all systems\n                      have been appropriately categorized as agency or contractor systems as well as cloud or\n                      non-cloud systems.\n                   c. 
A centrally maintained and monitored inventory of system interconnections for all\n                      NCUA systems that is regularly reviewed (at least annually) for accuracy and that is\n                      supported by valid and signed ISAs or MOUs.\n                   d. A central repository of applicable valid, approved, and signed security documentation\n                      (e.g., System Security Plans, Interconnection Security Agreements, etc.) for each of the\n                      contractor systems.\n\n             Management Response: OCIO will update its process for Contractor Systems to address items\n             discussed in the recommendation by September 30,2014.\n\n             If you have any questions, please do not hesitate to contact my office.\n\n             cc:    DED Kutchey\n\n\n\n\n                                                                                 Restricted \xe2\x80\x93 For Official Use Only\n                                                            17\n\x0c'